EP0768773B1 - Method of establishing a common key for authorised users by means of a threshold scheme - Google Patents

Info

Publication number: EP0768773B1
Authority: EP (European Patent Office)
Prior art keywords: key, shadows, central office, persons, authorized
Legal status: Expired - Lifetime
Application number: EP96107509A
Other languages: German (de), French (fr)
Other versions: EP0768773A1 (en)
Inventor: Jörg Dr.rer.nat. Schwenk
Current Assignee: Deutsche Telekom AG
Original Assignee: Deutsche Telekom AG
Priority date: 1995-10-14
Filing date: 1996-05-10
Publication date: 1999-11-03

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution ... involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833 Key transport or distribution ... involving central third party ... involving conference or group key
    • H04L9/0836 Key transport or distribution ... involving central third party ... involving conference or group key using tree structure or hierarchical structure
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60 Digital content management, e.g. content distribution
    • H04L2209/601 Broadcast encryption

Abstract

The method is operated at an exchange which is connected to a number of subscribers by insecure (especially radio) channels. A "shadow" is derived from the personal key of each authorised subscriber, and a key is constructed from the totality of such "shadows". Data for construction of the key are transmitted so that each authorised subscriber can derive the common key from his or her personal key, by computation from the associated "shadow" with the aid of the others.

Description

The invention relates to a method of the type defined in more detail in the preamble of claim 1. Such a method is described by C.-S. Laih and S.-M. Yen in "On the Design of Conference Key Distribution Systems for the Broadcasting Networks".

Encryption methods of many kinds are part of the state of the art and are gaining increasing commercial importance. They have recently been used to send messages over publicly accessible transmission media in such a way that only the holders of a cryptographic key can read these messages in plaintext.

Symmetric encryption algorithms are frequently used for such applications (for the definition of a symmetric encryption algorithm see also A. Beutelspacher: Kryptologie, Vieweg Verlag 1994).

Such an application is briefly explained below using an example:
Messages from a central office Z are to be sent to authorized persons, referred to below as P1, ..., Pn, where n ≤ m holds and P denotes the entire group of persons, over a broadcast medium (terrestrial broadcasting, satellite, cable network) or other unsecured channels.

Each person Pi in P is assigned a personal key ki that is known only to that person and to the central office Z. The central office Z now chooses the key k and encrypts it for i = 1, ..., N with the respective personal key ki: Ci = E(ki, k).

This cryptogram is then sent to the selected authorized person Pi, who can compute the key k by decrypting the cryptogram: D(ki, Ci) = D(ki, E(ki, k)) = k.

This method is used, for example, in the pay-TV system Eurocrypt (DIN EN 50 094) to establish a system key.

The disadvantage of this method is that the key k is transmitted in encrypted form. In many countries the use of an encryption algorithm is subject to legal restrictions. This could, for example, mean that the algorithm E (for "encryption") used above would have to be very weak.

The method mentioned above, which is closest to the invention, is the one described by C.-S. Laih and S.-M. Yen in "On the Design of Conference Key Distribution Systems for the Broadcasting Networks". In a computer network it serves to establish a shared secret k as a key for authorized persons from a larger group of persons; the key is issued by a "chairman" acting as the central instance or central office. This central office Z decides which persons from a group are authorized. The method guarantees that only these persons can receive or compute the key, and it comprises the following steps:

  • each person Pi of the given group of persons P possesses a personal key ki that is known only to this person Pi and to the central office Z;
  • at the central office, a partial secret, referred to below as the shadow si, is derived from the personal key ki of each of the n authorized persons using a common parameter r and a one-way function f();
  • the central instance then constructs an (n, t) threshold scheme with t ≥ 2n-1 from the shadows of all authorized persons and computes a key k from the shadows s1, ..., sn;
  • the data for constructing k are then transmitted over the unsecured channel;
  • finally, these data enable the receiving authorized persons P1, ..., Pn to derive their assigned shadow si from their personal key ki and, using the n-1 further shadows that were also transmitted and the (n, t) threshold scheme, to compute the cryptographic key k.

This method is intended for networks of powerful computers and therefore disregards the fact that the computing power of the add-on devices commonly used with receivers is considerably lower. On the other hand, since the set of authorized persons is a time-varying subset of the total set of subscribers, which may change for each transmission, the computation must be fast and yet sufficiently secure against possible attacks.

The object of the invention is to provide a method that requires less computing power and is nevertheless sufficiently secure.

This object is achieved by the method steps set out in the characterizing part of claim 1.

With the reduced demands on computing power, the field of application of this very secure method extends to areas of daily life in which cryptographic security is increasingly required but where, for economic reasons, computing power must be minimal, for example decoders for pay TV, T-Online for closed user groups, etc.

Advantageous developments with regard to additional cryptographic security are set out in the characterizing parts of subclaims 2 and 3.

The basic principle underlying the invention, which is described in more detail below with reference to exemplary embodiments, is to reproduce the functionality of the method described in DIN EN 50 094 using methods of symmetric cryptography, without using any encryption method. For this purpose a combination of a keyed one-way function with a threshold scheme (A. Shamir: How to Share a Secret. Comm. ACM, Vol. 24, No. 11, 1979, 118-119) is used. In this way the security of the key distribution mechanism can be improved while complying with legal regulations.

A one-way function (cf. Beutelspacher, above) is a function g(·) that is easy to evaluate (i.e. g(a) is easily computable for every value a) but for which it is practically impossible to find, for a given image value b, a preimage a such that g(a) = b. A keyed one-way function is a one-way function f() with two arguments k and a, where the value k can be regarded as the key.

With an (n, t) threshold scheme, a secret k can be split into t parts, called shadows, in such a way that the secret can be reconstructed from any n of the t shadows.

As an example of such an (n, t) threshold scheme, a polynomial of degree n-1 is used below, from which t = 2n-1 interpolation nodes are chosen as shadows.
Specifying n interpolation nodes, i.e. n pairs (xi, yi) (i = 1, ..., n) of elements of a field with distinct x components, defines a unique polynomial of degree n-1. This polynomial intersects the y-axis at a uniquely defined point.

To establish a common key for the authorized persons P1, ..., Pn, each person Pi in P is first assigned an interpolation node (ai, bi) using the personal key ki. This can be done in various ways:

  • 1. (ai, bi) := (i, ki),
  • 2. (ai, bi) := (i, g(ki)) for a one-way function g(·),
  • 3. (ai, bi) := (i, f(r, ki)) for a keyed one-way function f() and a random number r,
  • 4. (ai, bi) := (f(r, li), f(r, li')) for a keyed one-way function f(), a random number r and ki = (li, li'),
  • etc.

The interpolation nodes (a1, b1), ..., (an, bn) determine a polynomial p(x) of degree n-1. The unique intersection k := p(0) of this polynomial with the y-axis is the common key for P1, ..., Pn. So that the authorized persons P1, ..., Pn can compute this value k, the central office chooses n-1 further interpolation nodes (c1, d1), ..., (cn-1, dn-1), which must be different from (a1, b1), ..., (an, bn). These can be sent to all persons in P together with the additional information needed to compute the interpolation nodes (e.g. the random number r from variant 3.).

Only the selected persons Pi (1 ≤ i ≤ n) can now compute the key k. To do so, the selected person Pi adds to the set (c1, d1), ..., (cn-1, dn-1) the interpolation node (ai, bi), which only he and the central office can compute, since only he and the central office know the personal key ki. The n interpolation nodes thus obtained uniquely determine the polynomial p(x) and hence the number k = p(0).

The unauthorized persons Pi (n+1 ≤ i ≤ m) cannot compute the key k, since the interpolation nodes (ai, bi) they can compute do not lie on the graph of p(x).

In accordance with the invention specified in claim 1, a keyed one-way function, i.e. a variant of methods (3.) or (4.), is used to derive the interpolation nodes in order to rule out possible attacks that would be possible with the weaker variants (1.) and (2.). In this case it can be clearly shown that an unauthorized attacker could break a key k established by this method only if he could invert the one-way function.
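The following is an added worked example and is not part of the patent text or of any Deutsche Telekom implementation. It carries variant (3.) of the scheme through both sides of the exchange: the central office Z derives one interpolation node per authorized person, fixes p(x) over a prime field, takes k := p(0), and broadcasts r together with n-1 further nodes; each receiver adds its own node and interpolates p(0). Assumptions not in the patent: HMAC-SHA256 stands in for the unspecified keyed one-way function f(), the field is GF(2^127 - 1), persons are indexed 1..m, and the extra nodes use x-coordinates above m so they cannot collide with any person's node.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Prime field for the polynomial arithmetic (assumption: the patent only says
# "elements of a field"; 2^127 - 1 is a convenient Mersenne prime).
P = (1 << 127) - 1


def f(r: bytes, k: bytes) -> int:
    """Keyed one-way function f(r, k) mapped into the field.

    Assumption: HMAC-SHA256 stands in for the patent's unspecified f().
    Without k, recovering b_i = f(r, k) means inverting the MAC.
    """
    return int.from_bytes(hmac.new(k, r, hashlib.sha256).digest(), "big") % P


def node(i: int, r: bytes, k_i: bytes) -> tuple[int, int]:
    """Variant (3.) of the patent: interpolation node (a_i, b_i) := (i, f(r, k_i))."""
    return (i, f(r, k_i))


def lagrange_at(points: list[tuple[int, int]], x: int) -> int:
    """Evaluate at x the unique polynomial of degree len(points)-1 through `points`, over GF(P)."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x - xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total


def central_office(personal_keys: dict[int, bytes], authorized: list[int], r: bytes = b""):
    """Central office Z: fix p(x) through the nodes of the authorized persons,
    set k := p(0), and publish r plus n-1 further nodes (c_j, d_j) lying on p(x).

    Returns (k, broadcast); k stays at Z, only `broadcast` goes over the unsecured channel.
    """
    if not r:
        r = secrets.token_bytes(16)            # fresh random number r per transmission
    nodes = [node(i, r, personal_keys[i]) for i in authorized]
    n = len(nodes)
    k = lagrange_at(nodes, 0)                  # common key k := p(0)
    # Extra nodes use x above every person index (assumption: persons are 1..m),
    # so they differ from every (a_i, b_i), authorized or not.
    m = max(personal_keys)
    extra = [(x, lagrange_at(nodes, x)) for x in range(m + 1, m + n)]
    return k, {"r": r, "extra": extra}


def receiver(i: int, k_i: bytes, broadcast: dict) -> int:
    """Person P_i: add own node (a_i, b_i) to the n-1 broadcast nodes and interpolate p(0).

    An unauthorized P_i runs the very same steps, but its (a_i, b_i) is not on p(x),
    so the value it interpolates is not k.
    """
    points = broadcast["extra"] + [node(i, broadcast["r"], k_i)]
    return lagrange_at(points, 0)


if __name__ == "__main__":
    # Constructed sample: m = 5 persons, Z authorizes P1, P3 and P4 for this transmission.
    keys = {i: secrets.token_bytes(16) for i in range(1, 6)}
    k, bc = central_office(keys, [1, 3, 4])
    for i in range(1, 6):
        print(f"P{i}:", "recovers k" if receiver(i, keys[i], bc) == k else "cannot recover k")
```

Only r and the n-1 extra nodes are ever transmitted, and none of them is encrypted, which is the point the description makes about legal restrictions on encryption. A receiver outside the authorized set still obtains a well-formed value from the interpolation; it simply is not p(0), so there is no error signal that would help it.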

Claims (3)

1. Method for establishing a common key k for authorized persons by means of a threshold procedure, through a central office Z, over unsecured channels, particularly a broadcasting medium, with the following steps:
  Each person Pi of the given group of persons P possesses a personal key ki which is only known to that person Pi and to a central office Z;
  at the central office Z, a partial secret, in the following designated as shadow si, is derived for each of the n authorized persons from their personal key ki, using a common parameter r and a one-way function f();
  subsequently, an (n, t) threshold procedure with t ≥ 2n-1 is constructed from the shadows of all authorized persons, and a key k is calculated from the shadows s1 ... sn;
  then, the data for the construction of k are transmitted over the unsecured channel;
  finally, these data allow the receiving authorized persons P1, ..., Pn to derive from their personal key ki the shadow si assigned to them and - using the other n-1 shadows that were also transmitted as well as the (n, t) threshold procedure - to compute from this the crypto-key k, characterized in that at the central office Z, in order to distribute crypto-keys to a subset, varying over time, of a universal set of a given group of persons consisting of P participants, shadows si of the following types are derived from the personal key ki of each authorized person Pi:
  si = (i, f(r, ki)) for a one-way function f() and a random number r; or
  si = (f(r, li), f(r, li')) for a one-way function f(), a random number r and ki = (li, li').
2. A method in accordance with claim 1, characterized in that the (n, t) threshold procedure is carried out using a polynomial of degree n-1, which is uniquely defined by n interpolation nodes derived using the shadows and from which additional shadows are obtained at the central office by selecting points on the graph of the polynomial that are different from the interpolation nodes obtained from the shadows of the authorized participants.
3. A method in accordance with claim 1, characterized in that it is used for successively establishing a hierarchy of keys.
Applications Claiming Priority (2)

Application Number - Priority Date - Filing Date - Title
DE19538385A DE19538385A1 (en) - 1995-10-14 - 1995-10-14 - Procedure for establishing a common key for authorized persons by a central office
DE19538385 - 1995-10-14

Publications (2)

Publication Number - Publication Date
EP0768773A1 (en) - 1997-04-16
EP0768773B1 (en) - 1999-11-03

Family

ID=7774922

Family Applications (1)

Application Number - Title - Priority Date - Filing Date
EP96107509A (Expired - Lifetime) EP0768773B1 (en) - Method of establishing a common key for authorised users by means of a threshold scheme - 1995-10-14 - 1996-05-10

Country Status (8)

Country - Link
US (1) US5903649A (en)
EP (1) EP0768773B1 (en)
AT (1) ATE186432T1 (en)
AU (1) AU721074B2 (en)
CA (1) CA2181972A1 (en)
DE (2) DE19538385A1 (en)
NO (1) NO962672L (en)
NZ (1) NZ299014A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number - Priority date - Publication date - Assignee - Title
DE102004042094B3 (en) * 2004-08-30 - 2005-09-22 - Ruhr-Universität Bochum - Digital data transmission method such as for pay TV using a single use code

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number - Priority date - Publication date - Assignee - Title
US6690798B1 (en) * 1997-12-10 - 2004-02-10 - Ericsson Inc. - Key transforms to discriminate between beams in a multi-beam satellite communication system
DE19847941A1 (en) * 1998-10-09 - 2000-04-13 - Deutsche Telekom Ag - Common cryptographic key establishment method for subscribers involves successively combining two known secret values into a new common value throughout using Diffie-Hellmann technique
DE19847944A1 (en) * 1998-10-09 - 2000-04-13 - Deutsche Telekom Ag - Establishing a common key between a central station and a group of subscribers involves using public mathematical group, higher order element of group and threshold process
JP2000244655A (en) * 1999-02-18 - 2000-09-08 - Fujitsu Ltd - Network system having secrecy service function
US6735313B1 (en) * 1999-05-07 - 2004-05-11 - Lucent Technologies Inc. - Cryptographic method and apparatus for restricting access to transmitted programming content using hash functions and program identifiers
US7356696B1 (en) * 2000-08-01 - 2008-04-08 - Lucent Technologies Inc. - Proofs of work and bread pudding protocols
EP1410555A4 (en) * 2000-09-11 - 2004-12-22 - Jinglong F Zhang - A method and apparatus employing one-way transforms
US8718283B2 (en) * 2001-04-27 - 2014-05-06 - Verizon Ireland Limited - System and method for processing a shared secret
CN100456669C (en) * 2003-09-22 - 2009-01-28 - 华为技术有限公司 - Method of distributing group secret keys
EP1564928A1 (en) * 2004-02-17 - 2005-08-17 - Axalto S.A. - Multiple users authentication method.
US7620187B1 (en) 2005-03-30 - 2009-11-17 - Rockwell Collins, Inc. - Method and apparatus for ad hoc cryptographic key transfer
WO2008071385A2 (en) 2006-12-13 - 2008-06-19 - Roche Diagnostics Gmbh - Use of acetals for the isolation of nucleic acids
WO2008071384A1 (en) 2006-12-13 - 2008-06-19 - Roche Diagnostics Gmbh - Use of tde for the isolation of nucleic acids
US7958354B1 (en) 2008-02-14 - 2011-06-07 - Rockwell Collins, Inc. - High-order knowledge sharing system to distribute secret data
GB0805830D0 (en) * 2008-03-31 - 2008-04-30 - British Telecomm - Keys for protecting user access to media

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number - Priority date - Publication date - Assignee - Title
JP2606419B2 (en) * 1989-08-07 - 1997-05-07 - 松下電器産業株式会社 - Cryptographic communication system and cryptographic communication method
US5199070A (en) * 1990-12-18 - 1993-03-30 - Matsushita Electric Industrial Co., Ltd. - Method for generating a public key
US5241597A (en) * 1991-02-01 - 1993-08-31 - Motorola, Inc. - Method for recovering from encryption key variable loss
US5208859A (en) * 1991-03-15 - 1993-05-04 - Motorola, Inc. - Method for rekeying secure communication units by group
US5412722A (en) * 1993-08-31 - 1995-05-02 - Motorola, Inc. - Encryption key management
US5471532A (en) * 1994-02-15 - 1995-11-28 - Motorola, Inc. - Method of rekeying roaming communication units
US5381479A (en) * 1994-02-28 - 1995-01-10 - Motorola, Inc. - Method for over the air rekeying of multiple communication groups
US5528691A (en) * 1994-10-04 - 1996-06-18 - Motorola, Inc. - Method for automatically assigning encryption information to a group of radios

    Cited By (1)

    * Cited by examiner, † Cited by third party
    Publication number Priority date Publication date Assignee Title
    DE102004042094B3 (en) * 2004-08-30 2005-09-22 RUHR-UNIVERSITäT BOCHUM Digital data transmission method such as for pay TV using a single use code

    Also Published As

    Publication number Publication date
    EP0768773A1 (en) 1997-04-16
    DE19538385A1 (en) 1997-04-17
    AU6572796A (en) 1997-04-17
    NZ299014A (en) 1998-09-24
    CA2181972A1 (en) 1997-04-15
    AU721074B2 (en) 2000-06-22
    ATE186432T1 (en) 1999-11-15
    US5903649A (en) 1999-05-11
    NO962672D0 (en) 1996-06-24
    NO962672L (en) 1997-04-15
    DE59603557D1 (en) 1999-12-09

    Similar Documents

    Publication Publication Date Title
    EP0768773B1 (en) Method of establishing a common key for authorised users by means of a threshold scheme
    EP1793525B1 (en) Method for changing the group key in a group of network elements in a network
    DE60303018T2 (en) Polynomial multi-user key generation and authentication method and system
    DE3919734C1 (en)
    DE60028645T2 (en) Device and method for distributing documents
    WO1999033270A1 (en) Method for securing a system protected by key hierarchy
    Ganeshkumar et al. A new one round video encryption scheme based on 1D chaotic maps
    WO1999025090A1 (en) Method for identifying proprietary data of traitors
    DE3631797C2 (en)
    EP4099611B1 (en) Generation of quantum secure keys in a network
    EP1119941B1 (en) Method for establishing a common key between an exchange and a group of subscribers
    DE102006036165B3 (en) Method for establishing a secret key between two nodes in a communication network
    EP1208669B1 (en) Method for establishing a common key for a group of at least three subscribers
    EP0902568B1 (en) Method for transmitting encrypted messages
    EP0400362B1 (en) Method for hierarchical key management with partial keys for transmitting digital information
    EP0765550A1 (en) Device for decoding decoding algorithms and method of encrypting and decoding such algorithms using the device
    DE102006009725A1 (en) Public code authenticating method, involves producing signature from combination of public code and generated authentication characteristic, and publishing public code, authentication characteristic and produced signature
    DE19524021C2 (en) Method for encrypting information in ATM systems
    DE4308825C2 (en) Process for secure data transmission over unsecured connections
    DE19718583C5 (en) End-to-end encryption
    DE4420967C2 (en) Decryption device for digital information and method for carrying out the encryption and decryption of this using the decryption device
    EP3955512A1 (en) Transmission of quantum secure keys over intermediate network nodes
    EP3005645A1 (en) Method for securing telecommunications traffic data
    DE19710413A1 (en) Method of allocating authorisations for symmetrical encoding and decoding data in computer network
    DE19942082A1 (en) Verifying integrity, authorship of and encoding/decoding text involves using one-time algorithm and/or symmetrical crypto algorithm dependent on one secret code

    Legal Events

    Date Code Title Description
    PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

    Free format text: ORIGINAL CODE: 0009012

    AK Designated contracting states

    Kind code of ref document: A1

    Designated state(s): AT BE CH DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

    17P Request for examination filed

    Effective date: 19971016

    17Q First examination report despatched

    Effective date: 19971211

    GRAG Despatch of communication of intention to grant

    Free format text: ORIGINAL CODE: EPIDOS AGRA

    GRAG Despatch of communication of intention to grant

    Free format text: ORIGINAL CODE: EPIDOS AGRA

    GRAH Despatch of communication of intention to grant a patent

    Free format text: ORIGINAL CODE: EPIDOS IGRA

    GRAH Despatch of communication of intention to grant a patent

    Free format text: ORIGINAL CODE: EPIDOS IGRA

    GRAA (expected) grant

    Free format text: ORIGINAL CODE: 0009210

    AK Designated contracting states

    Kind code of ref document: B1

    Designated state(s): AT BE CH DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: SE

    Free format text: THE PATENT HAS BEEN ANNULLED BY A DECISION OF A NATIONAL AUTHORITY

    Effective date: 19991103

    Ref country code: GR

    Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

    Effective date: 19991103

    Ref country code: FI

    Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

    Effective date: 19991103

    Ref country code: ES

    Free format text: THE PATENT HAS BEEN ANNULLED BY A DECISION OF A NATIONAL AUTHORITY

    Effective date: 19991103

    REF Corresponds to:

    Ref document number: 186432

    Country of ref document: AT

    Date of ref document: 19991115

    Kind code of ref document: T

    REG Reference to a national code

    Ref country code: CH

    Ref legal event code: EP

    REG Reference to a national code

    Ref country code: CH

    Ref legal event code: NV

    Representative's name: HUG INTERLIZENZ AG

    REF Corresponds to:

    Ref document number: 59603557

    Country of ref document: DE

    Date of ref document: 19991209

    GBT Gb: translation of ep patent filed (gb section 77(6)(a)/1977)

    Effective date: 19991220

    ET Fr: translation filed

    ITF It: translation for a ep patent filed

    Owner name: ORGANIZZAZIONE D'AGOSTINI

    REG Reference to a national code

    Ref country code: IE

    Ref legal event code: FG4D

    Free format text: GERMAN

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: PT

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20000203

    Ref country code: DK

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20000203

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: LU

    Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

    Effective date: 20000510

    Ref country code: AT

    Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

    Effective date: 20000510

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: BE

    Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

    Effective date: 20000531

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: IE

    Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

    Effective date: 20000621

    REG Reference to a national code

    Ref country code: IE

    Ref legal event code: FD4D

    PLBE No opposition filed within time limit

    Free format text: ORIGINAL CODE: 0009261

    STAA Information on the status of an ep patent application or granted ep patent

    Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

    26N No opposition filed

    BERE Be: lapsed

    Owner name: DEUTSCHE TELEKOM A.G.

    Effective date: 20000531

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: MC

    Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

    Effective date: 20001130

    REG Reference to a national code

    Ref country code: GB

    Ref legal event code: IF02

    REG Reference to a national code

    Ref country code: FR

    Ref legal event code: PLFP

    Year of fee payment: 20

    PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

    Ref country code: CH

    Payment date: 20150520

    Year of fee payment: 20

    Ref country code: DE

    Payment date: 20150521

    Year of fee payment: 20

    Ref country code: GB

    Payment date: 20150521

    Year of fee payment: 20

    PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

    Ref country code: FR

    Payment date: 20150519

    Year of fee payment: 20

    Ref country code: IT

    Payment date: 20150519

    Year of fee payment: 20

    Ref country code: NL

    Payment date: 20150520

    Year of fee payment: 20

    REG Reference to a national code

    Ref country code: DE

    Ref legal event code: R071

    Ref document number: 59603557

    Country of ref document: DE

    REG Reference to a national code

    Ref country code: NL

    Ref legal event code: MK

    Effective date: 20160509

    REG Reference to a national code

    Ref country code: CH

    Ref legal event code: PL

    REG Reference to a national code

    Ref country code: GB

    Ref legal event code: PE20

    Expiry date: 20160509

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: GB

    Free format text: LAPSE BECAUSE OF EXPIRATION OF PROTECTION

    Effective date: 20160509